Merge pull request #42 from CodeNow/iptables

anandkumarpatel · web-flow · commit 4177bc2a5dc7 · 2017-01-10T16:09:21.000-08:00
Iptables
diff --git a/.gitignore b/.gitignore
@@ -10,3 +10,4 @@ consul-resources/vault/**/token-03
 key/rollbar.token
 .stubdata
 vault-resources/s3.policy.json
+.idea
diff --git a/init.sh b/init.sh
@@ -19,10 +19,13 @@ else
   export CONSUL_HOSTNAME
 fi
 
+export DOCKER_NETWORK=172.17.0.0/16
+
 source "${DOCK_INIT_BASE}/lib/consul.sh"
 source "${DOCK_INIT_BASE}/lib/aws.sh"
 source "${DOCK_INIT_BASE}/lib/dock.sh"
 source "${DOCK_INIT_BASE}/lib/container.sh"
+source "${DOCK_INIT_BASE}/lib/iptables.sh"
 source "${DOCK_INIT_BASE}/lib/util/log.sh"
 
 # Initializes the dock
@@ -35,6 +38,8 @@ main() {
   dock::set_hostname
   dock::set_config_org
   container::start
+  # rules must be run after docker has started
+  iptables::run_rules
   log::info "Init Done!"
 }
 
diff --git a/lib/container.sh b/lib/container.sh
@@ -104,7 +104,7 @@ container::_start_cadvisor_container() {
 
 container::_start_node_exporter_container() {
   local name="prom/node-exporter"
-  local version="0.12.0"
+  local version="v0.13.0"
 
   log::info "Starting ${name}:${version} container"
   local docker_logs
@@ -113,10 +113,16 @@ container::_start_node_exporter_container() {
     --detach=true \
     --restart=always \
     --net=host \
+    --volume=/proc:/host/proc \
+    --volume=/sys:/host/sys \
+    --volume=/:/rootfs \
     --memory=100mb \
     --memory-reservation=50mb \
     "${name}:${version}" \
     --collectors.enabled=conntrack,diskstats,filefd,filesystem,loadavg,meminfo,netdev,netstat,stat,time \
+    --collector.procfs=/host/proc \
+    --collector.sysfs=/host/sys \
+    --collector.filesystem.ignored-mount-points="/rootfs/docker/aufs|/sys|/etc|/proc|/dev|/rootfs/run|/$" \
     --web.listen-address=:29006)
 
   if [[ "$?" -gt "0" ]]; then
diff --git a/lib/iptables.sh b/lib/iptables.sh
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+source "${DOCK_INIT_BASE}/lib/util/log.sh"
+
+iptables::run_rules() {
+  log::info "setting up iptable rules"
+  # drop pings
+  iptables -I INPUT -p icmp --icmp-type echo-request -m state --state ESTABLISHED -j DROP
+
+  # prevent containers from talking to host
+  iptables -I INPUT -s ${DOCKER_NETWORK} -d 10.0.0.0/8 -m state --state NEW -j DROP
+
+  # drop all new traffic from container ip to runnable infra
+  iptables -I FORWARD -s ${DOCKER_NETWORK} -d 10.0.0.0/8 -m state --state NEW -j DROP
+  # log container traffic for PSAD
+  iptables -I FORWARD -s ${DOCKER_NETWORK} -j LOG
+  # drop all local container to container traffic
+  iptables -I FORWARD -s ${DOCKER_NETWORK} -d ${DOCKER_NETWORK} -j DROP
+  # allow consul access (should be before drop)
+  iptables -I FORWARD -s ${DOCKER_NETWORK} -d ${CONSUL_HOSTNAME} -j ACCEPT
+
+  DNS_IP=`iptables::_find_aws_dns_ip`
+  # allow aws DNS server queries (must be first)
+  iptables -I FORWARD -s ${DOCKER_NETWORK} -d ${DNS_IP} -j ACCEPT
+
+  # drop all new traffic from container to runnable infra
+  iptables -I OUTPUT -s ${DOCKER_NETWORK} -d 10.0.0.0/8 -m state --state NEW -j DROP
+}
+
+iptables::_find_aws_dns_ip() {
+  cat /etc/resolv.conf | grep name | cut -d' ' -f 2
+}
